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Click here for more information. 



Recent news reports about leaked classified documents have caused concern from the 
cryptographic community about the security of NIST cryptographic standards and 
guidelines. NIST is also deeply concerned by these reports, some of which have 
questioned the integrity of the NIST standards development process. 

NIST has a proud history in open cryptographic standards, beginning in the 1970s with 
the Data Encryption Standard. We strive for a consistently open and transparent 
process that enlists the worldwide cryptography community to help us develop and vet 
algorithms included in our cryptographic guidance. NIST endeavors to promote 
confidence in our cryptographic guidance through these inclusive and transparent 
development processes, which we believe are the best in use. 

Trust is crucial to the adoption of strong cryptographic algorithms. To ensure that our 
guidance has been developed according the highest standard of inclusiveness, 
transparency and security, NIST has initiated a formal review of our standards 
development efforts. We are compiling our goals and objectives, principles of 
operation, processes for identifying cryptographic algorithms for standardization, 
methods for reviewing and resolving public comments, and other important procedures 
necessary for a rigorous process. 

Once complete, we will invite public comment on this process. We also will bring in an 
independent organization to conduct a formal review of our standards development 
approach and to suggest improvements. Based on the public comments and 
independent review, we will update our process as necessary to make sure it meets our 
goals for openness and transparency, and leads to the most secure, trustworthy 
guidance practicable. 

Furthermore, we will be reviewing our existing body of cryptographic work, looking at 
both our documented process and the specific procedures used to develop each of 
these standards and guidelines. If any current guidance does not meet the high 
standards set out in this process, we will address these issues as quickly as possible. 

Our mission is to protect the nation's IT infrastructure and information through strong 
cryptography. We cannot carry out that mission without the trust and assistance of the 
world's cryptographic experts. We're committed to continually earning that trust. 

Contact: 

Donna Dodson, Chief, Computer Security Division 
donna. dodsonOnist. gov 
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NIST SOLICITS COMMENTS ON ITS CRYPTOGRAPHIC STANDARDS 
DEVELOPMENT PROCESS 

Summary: 

NIST requests comments on Draft NIST Interagency Report 7977 , NIST 
Cryptographic Standards and Guidelines Development Process. This document 
describes the principles, processes and procedures behind our cryptographic 
standards development efforts. Please send comments to crypto-review@nist.gov by 
April 18, 2014. 

Background: 

In November 2013, NIST initiated a review of its cryptographic standards development 
process in response to public concerns about the security of NIST cryptographic 
standards and guidelines. 

To enable this review, we have compiled information about the principles, processes 
and procedures that drive our cryptographic standards development efforts to help the 
public understand how we develop our standards. This information is being published 
in draft NIST IR 7977, NIST Cryptographic Standards and Guidelines Development 
Process. We are soliciting public comments on this draft NIST IR to obtain feedback on 
the mechanisms we use to engage experts in industry, academia and government to 
develop these standards. 

We will review all public comments, post them on the CSRC website, and publish a 
revised NIST IR based on the feedback we receive. This revised publication will serve 
as basis for our future standards development efforts. 

The revised NIST IR 7977 will also serve as the basis for a review of our existing body 
of cryptographic work. We will examine the procedures used to develop each of our 
cryptographic standards or guidelines to ensure they were developed in accordance 
with the principles outlined in NIST IR 7977. If any current guidance does not meet the 
high standards set out in this process, we will address these issues as quickly as 
possible, taking into consideration the process used to develop the guidance and a 
technical review of the affected cryptographic algorithms or schemes. 

Note to Reviewers: 

As part of your review of NIST IR 7977, we request comments on the following topics: 

Are there other principles that we should use to drive our standards development 
efforts? 

What are the most effective processes identified in the draft for engaging the 
cryptographic community for providing the necessary inclusivity and transparency to 
develop strong, trustworthy standards? Are there other processes we should 
consider? 

Do these processes include appropriate mechanisms to ensure proposed standards 
are thoroughly reviewed and interested parties' views are heard? Are there other 
mechanisms that should be included in our process? 

What are other communication channels that NIST should consider to effectively 
communicate with its stakeholders? 

Back to Top of Page 



Cryptographic Technology 

Cryptographic Standards 
Development Process Review 

NIST Solicits Comments on the 
Process 

e-Authentication Initiative 

Cryptographic Applications & 
Infrastructures 

Cryptographic Toolkit 

Cryptographic Key Management 
Project 

Cryptographic Research Projects 

Security Aspects of Electronic 
Voting 

Cryptographic Hash Project 
FIPS 140-3 (Draft) 
NIST Randomness Beacon 
Crypto Reading Club 
Workshops and Events 



CSRC Webmaster . Disclaimer Notice & Privacy Policy 
NIST is an Agency of the U.S. Department of Commerce 

Last updated: February 20, 2014 



2/24/2014 7:08 PM 



NISTIR 7977 



NIST Cryptographic Standards and 
Guidelines Development Process 

(Draft) 



The Cryptographic Technology Group 



imist 

National Institute of 
Standards and Technology 

U.S. Department of Commerce 



NISTIR 7977 



NIST Cryptographic Standards and 
Guidelines Development Process 

(Draft) 



The Cryptographic Technology Group 
Information Technology Lab 



February 2014 




U.S. Department of Commerce 

Penny Pritzker, Secretary 

National Institute of Standards and Technology 
Patrick D. Gallagher, Under Secretary of Commerce for Standards and Technology and Director 



National Institute of Standards and Technology Interagency or Internal Report 7977 

14 pages (February 2014) 



Certain commercial entities, equipment, or materials may be identified in this document in order to 
describe an experimental procedure or concept adequately. Such identification is not intended to imply 
recommendation or endorsement by NIST, nor is it intended to imply that the entities, materials, or 
equipment are necessarily the best available for the purpose. 

There may be references in this publication to other publications currently under development by NIST 
in accordance with its assigned statutory responsibilities. The information in this publication, including 
concepts and methodologies, may be used by Federal agencies even before the completion of such 
companion publications. Thus, until each publication is completed, current requirements, guidelines, 
and procedures, where they exist, remain operative. For planning and transition purposes, Federal 
agencies may wish to closely follow the development of these new publications by NIST. 

Organizations are encouraged to review all draft publications during public comment periods and 
provide feedback to NIST. All NIST Computer Security Division publications, other than the ones 
noted above, are available at http://csrc.nist.gov/publications. 



Public comment period: February 18, 2014 through April 18, 2014 

National Institute of Standards and Technology 

Attn: Computer Security Division, Information Technology Laboratory 
100 Bureau Drive (Mail Stop 8930) Gaithersburg, MD 20899-8930 
Email: crypto-review@nist.gov 
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Reports on Computer Systems Technology 

The Information Technology Laboratory (ITL) at the National Institute of Standards and Technology 
(NIST) promotes the U.S. economy and public welfare by providing technical leadership for the Nation's 
measurement and standards infrastructure. ITL develops tests, test methods, reference data, proof of 
concept implementations, and technical analyses to advance the development and productive use of 
information technology. ITL's responsibilities include the development of management, administrative, 
technical, and physical standards and guidelines for the cost-effective security and privacy of other than 
national security-related information in Federal information systems. 



Abstract 



This document describes the principles, processes and procedures that drive our cryptographic standards 
development efforts. This draft document will be revised based on the feedback received during the 
public comment period, and the revised publication will serve as basis for NIST's future standards 
development efforts. It will also serve as the basis for the review of NIST's existing body of 
cryptographic standards and guidelines. 
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1 Introduction 

2 The Computer Security Division (CSD), a part of the Information Technology Laboratory (ITL) 

3 at the National Institute of Standards and Technology (NIST) is responsible for developing 

4 standards (i.e., Federal Information Processing Standards), guidelines (NIST Recommendations), 

5 tests, and metrics to protect non-national security federal information systems. Cryptographic 

6 standards and guidelines for the protection of sensitive federal information in transit or storage 

7 have always been a key component of this effort. These standards must be robust and have the 

8 confidence of the cryptographic community in order to be widely adopted and effective at 

9 securing information systems worldwide. 

10 To ensure these standards provide high-quality, cost-effective security mechanisms, NIST works 

1 1 closely with a broad stakeholder community to select, define and promulgate these standards and 

12 guidelines. NIST's stakeholder community includes subject matter experts, academia, 

13 government agencies, and sectors and organizations that voluntarily adopt NIST cryptographic 

14 standards. NIST has found that open and transparent processes are critical to developing the 

15 most secure and trusted cryptographic standards possible. NIST strives to engage all of its 

16 stakeholders in these processes. 

17 Principles 

18 NIST believes equitable standards development processes produce the strongest, most effective, 

19 and most highly trusted cryptographic standards. The following principles guide NIST's 

20 standards and guidelines development processes. 

21 Transparency: All interested and affected parties have access to essential information regarding 

22 standards-related activities and venues. NIST is committed to transparency in the development 

23 and documentation of its cryptographic standards with respect to the selection and evaluation 

24 criteria, specification, security and performance characteristics, and provenance of proposed 

25 standards or guidelines. NIST strives to be transparent with all stakeholders by informing and 

26 involving them through presentations at conferences and standards meetings, and publication of 

27 draft documents for public review. 

28 Openness: Participation is open to all interested and affected parties. All stakeholders, including 

29 security professionals, researchers, standards development organizations, and users, have an 

30 opportunity to be involved in the standards and guidelines development process. NIST strives to 

31 maintain this open process by posting draft documents for public comment, holding public 

32 workshops and conferences, and engaging the cryptographic community at industry and 

33 academic events. 

34 Technical Merit: NIST's decisions during the development of cryptographic standards and 

35 guidelines are based on the technical merit of a proposal. NIST strives to standardize 

36 cryptographic algorithms, schemes, and modes of operation whose security properties are well 

37 understood. 
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38 Balance: NIST strives to achieve balance of interests among stakeholders, weighing these 

39 interests to develop cryptographic standards that are secure, efficient, and promote 

40 interoperability. NIST solicits input from a wide-range of stakeholders representing government, 

41 industry and academia to ensure its standards are strong, practical, and meet the needs of the 

42 Federal government as well as the broader user community. 

43 Integrity: NIST serves as an impartial technical authority when developing cryptographic 

44 standards and guidelines. When evaluating, selecting, and standardizing cryptographic 

45 algorithms, NIST strives to maintain its objectivity when it forms and documents its 

46 decisions. Continuous Improvement: During the course of the development of cryptographic 

47 algorithms, the cryptographic community is encouraged to identify weaknesses, vulnerabilities, 

48 or other deficiencies in cryptographic functions specified in NIST publications. When 

49 vulnerabilities are identified, NIST engages with the broader cryptographic community to 

50 address them. 

51 Stakeholders 

52 NIST's statutory responsibility is to develop cryptographic standards and guidelines for 

53 protecting sensitive government information on non-national security systems. These are widely 

54 used across the federal government. However, NIST cryptographic standards have long been 

55 voluntarily adopted by other public and private organizations. For example, the Data Encryption 

56 Standard (DES), published as Federal Information Processing Standard (FIPS) 46 in 1977, filled 

57 a critical need for the financial services industry at a time when electronic transactions were 

58 becoming commonplace. NIST cryptographic standards and guidelines continue to be 

59 voluntarily adopted in the private sector, particularly in the financial and health care sectors. 

60 The national security community within the United States federal government has also adopted a 

61 subset of NIST's cryptographic standards and guidelines through the Suite B program. The 

62 NIST algorithms that comprise Suite B have been approved by the National Security Agency 

63 (NSA) to protect classified information up to the Secret level, with a class of algorithms with 

64 larger key sizes approved to protect information at the Top Secret level. NIST works closely 

65 with the NSA in the development of cryptographic standards. This is done because of the NSA's 

66 vast expertise in cryptography and because NIST, under the Federal Information Security 

67 Management Act of 2002, is statutorily required to consult with the NSA on standards. 

68 Standards Developing Organizations (SDOs) have also adopted NIST cryptographic standards as 

69 foundational building blocks for security protocols. For example, the Advanced Encryption 

70 Standard (AES) block cipher is included in ISO/IEC 18033-3:2010, is the preferred block cipher 

71 for IEEE 802.1 1 to secure wireless networks, and is mandatory to implement in version 1.2 of 

72 the IETF's Transport Layer Security (TLS) protocol. 

73 This widespread adoption has had significant benefits for all participating communities, whether 

74 they are participating by statute or by choice. Widespread international adoption has resulted in 

75 widespread availability of commercial products supporting strong cryptography. In combination 

76 with international standards, security services that are globally interoperable have permitted an 

77 explosion of e-commerce internationally. 
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78 NIST works closely with experts in industry, academia and government to develop its 

79 cryptographic standards and guidelines. Since the development of DES, the community 

80 researching and developing cryptographic technologies within industry and academia has 

81 expanded greatly. Using the mechanisms and processes described in this document, NIST works 

82 with these stakeholders to identify areas where standards or guidelines are needed, evaluate 

83 proposals, and develop standards or publications. NIST's role as a well-respected and trusted 

84 technical authority in this field is to balance these needs to ensure that its standards and 

85 guidelines are technically sound and have the confidence of the community. 

86 Engaging the Cryptographic Community 

87 NIST uses a variety of mechanisms to engage its stakeholders in academia, industry, and 

88 government in the development of its cryptographic standards and guidelines. These 

89 mechanisms include holding international competitions to select new cryptographic algorithms, 

90 participating in SDOs, and developing new standards in collaboration with cryptographers 

91 around the world. 

92 Cryptographic Competitions 

93 Cryptographic algorithm competitions allow NIST to standardize a state-of-the-art, widely 

94 accepted cryptographic primitive by involving the international cryptographic research 

95 community in a fair, open-design competition to select an algorithm that NIST will standardize 

96 and promote. Interested parties have an opportunity to participate in the competition by 

97 publishing research papers, submitting comments, and attending public workshops. Researchers 

98 contribute candidate designs and papers on theory, cryptanalysis and performance. The winning 

99 submitters are recognized, but agree to relinquish claim to intellectual property rights for their 

100 design so that the winning candidate can be available for royalty-free use. NIST determines the 

101 algorithm submission requirements and selection criteria, organizes workshops, hosts a 

102 competition website and e-mail discussion forum, selects the winning algorithm (based on its 

103 own analysis and that of the public), and explains and documents the selection. 

104 A typical competition starts with a public dialog on the need and requirements for a new 

105 algorithm, both on-line and through public workshop(s), as well as a Federal Register 

106 announcement inviting comment on NIST's proposed criteria. A subsequent Federal Register 

107 announcement states the submission requirements, schedule and selection criteria. A candidate 

108 conference is held, usually juxtaposed with a major cryptographic research conference, for each 

109 "round" of the competition to review the candidates and research results (i.e., cryptanalysis, 

110 performance and proofs of properties) on the candidates. Following each round, NIST 

111 announces the candidates selected to continue to the next round, and provides a report that 

1 12 documents the rationale for the selections. This winnowing allows the community to focus its 

113 analytical efforts on the most promising candidates. The last round usually has about five strong 

1 14 candidates. Following the final candidate conference, NIST selects the winner, writes a final 

115 report and formally proposes a standard for the algorithm through the normal FIPS process. 
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1 16 Adoption of Existing Standards 

1 17 NIST participates in Standards Development Organizations (SDOs), either as a member 

1 2 

118 organization (e.g., X9, Inc. working groups, INC ITS technical committees), or as individual 

1 19 representatives (e.g., IEEE SA 3 working groups and IETF 4 working groups). NIST experts also 

120 participate in some international SDOs through US National Body or Member State 

121 representation. ANSI 5 is the sole US representative for two major non-treaty international 

122 standards organizations, the International Organization for Standardization (ISO), and, via the 

123 US National Committee (USNC), the International Electro technical Commission (IEC). For 

124 treaty-based international standards bodies, such as the International Telecommunication Union 

125 (ITU), the Department of State represents the US. 

126 The principles used to develop voluntary consensus standards within SDOs are outlined in OMB 

127 Circular A-l 19, which instructs agencies to consider the use of these standards except where 

128 inconsistent with law or otherwise impractical. Active participation in such SDOs helps to 

129 ensure that NIST cryptographic standards and guidelines are highly secure and interoperable 

130 with its international partners. When appropriate, SDO publications are referenced in NIST 

131 guidance publications . 

132 Development of New Standards 

133 When NIST identifies a requirement for a standard and determines that no suitable standard 

134 already exists, NIST often develops a guidance document for use by Federal agencies. If there is 

135 also broader applicability, NIST may offer the guidance document or an adaptation of the 

136 document as a contribution to an SDO standards activity. NIST experts in cryptographic 

137 algorithms and standards develop these guidance documents in collaboration with experts in 

138 academia, industry and government. Transparency and collaboration is accomplished through 

139 formal public review processes and interaction with experts at public workshops and standards 

140 meetings. For the development of new, basic cryptographic functions, NIST may invite 

141 contributions from the public and hold a formal competition. In some cases, NIST guidance 

142 publications are offered as contributions to and form a basis for SDO standards. 

143 NIST Publications 

144 NIST uses several types of documents to publish and disseminate its cryptographic standards and 

145 guidelines. Three categories of NIST publications are commonly used: Federal Information 

146 Processing Standards, Special Publications, and Interagency Reports. Draft and final 

147 cryptographic standards and guidelines are posted by NIST on its Computer Security Resource 

148 Center web pages and are freely available to anyone. 



1 X9, Inc., Financial Industry Standards. 
InterNational Committee for Information Technology Standards. 

3 Institute of Electronic and Electrical Engineers Standards Association. 

4 Internet Engineering Task Force. 

5 American National Standards Institute. 
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149 Federal Information Processing Standards (FIPS): FIPS publications are issued by NIST 

150 after approval by the Secretary of Commerce pursuant to Section 5131 of the Information 

151 Technology Reform Act of 1996 (Public Law 104-106) and the Federal Information Security 

152 Management Act of 2002 (Public Law 107-347). FIPS publications are used by NIST to 

153 publish standards for fundamental cryptographic primitives, such as block ciphers, digital 

154 signature algorithms, and hash functions. 

155 Special Publications (800 Series): The Special Publication 800 series document a wide range 

156 of research, guidelines, and outreach efforts in computer security. Cryptographic guidelines 

157 in the 800 series build upon the primitives specified in FIPS publications, sometimes 

158 specifying additional cryptographic algorithms, schemes and modes of operation, as well as 

159 providing guidance for their use. For example, Special Publications in the 800 series specify 

160 random bit generators, block cipher modes of operation, key-derivation functions, and key- 

161 establishment schemes. These algorithms and schemes use the block ciphers, hash functions, 

162 and mathematical primitives defined in FIPS publications as fundamental building blocks. In 

163 addition, NIST also issues guidelines on the selection and use of cryptographic algorithms in 

164 800 series Special Publications. 

165 NIST Interagency Reports (NISTIR): NIST IRs describe technical research of interest to a 

166 specialized audience. NIST does not specify cryptographic algorithms in NIST IR 

167 publications. Instead, NIST uses NIST IR publications to disseminate information about its 

168 cryptographic standards efforts. Historically, the Computer Security Division has used NIST 

169 IRs to publish workshop and conference reports, discussion documents on new challenges in 

170 cryptography, and status reports on cryptographic algorithm competitions. 

171 While any NIST publication containing cryptographic standards or guidelines is first released as 

172 a draft for public comment, the specific development process differs by publication type. 

173 Because FIPS are mandated by formal legislation, and the algorithms they specify are at the heart 

174 of many critical security technologies, FIPS publications undergo the most formal development 

175 process. FIPS documents are developed by NIST, but approved and promulgated by the 

176 Secretary of Commerce. Formal announcements for draft and final FIPS documents are 

177 published in the Federal Register. As such, FIPS documents tend to have much longer 

178 development cycles than Special Publications. Special Publications are promulgated by NIST, 

179 with announcements posted on the Computer Security Division website. Special Publications 

180 have a shorter development cycle and usually are not announced in the Federal Register but are 

181 posted for a specified public comment period for external review and participation. 

182 Public Review and Outreach 

183 NIST strives in its cryptographic standards and guidance activities to be as open, and transparent 

184 as possible. NIST provides public notice of its activities in cryptography including: 

185 • Plans for cryptographic standards and recommendations, 

186 • Invitations for public participation in workshops that discuss topics in cryptography and 

187 its standardization, 
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188 
189 
190 
191 



Announcements of the availability of draft cryptographic standards and recommendations 
for public review and comment, and 

Announcements of the adoption of cryptographic standards and recommendations for use 
by the US Federal Government. 



192 All announcements are posted and available on the Computer Security Division website 

193 ( http://csrc.nist.gov ), while major announcements, including those proposing the adoption of 

194 FIPS and inviting comments on a proposed standard, are also announced in the Federal Register. 

195 In addition, press releases usually accompany significant announcements, and sometimes 

196 Information Technology Laboratory (ITL) Security Bulletins are posted that provide information 

197 about the use of cryptographic standards and recommendations. In some cases, NIST maintains 

198 a public email forum for ongoing open discussion of subjects relevant to cryptographic standards 

199 or research activities. 

200 The primary feedback mechanism for NIST cryptographic designs and implementation guidance 

201 is the posting of drafts and requests for public comment on the Computer Security Division 

202 website. Comment periods depend on the size and complexity of the drafts, as well as any prior 

203 history of public exposure and commentary, but typically run from 30 to 90 days. Comments 

204 may be submitted as electronic mail messages, transmission of electronically completed 

205 comment templates, or as hard copy correspondence. If the nature or extent of changes to a draft 

206 resulting from the comments is sufficiently extensive, one or more additional cycles of public 

207 review may be conducted. Comments received on draft FIPS, and their dispositions, are 

208 summarized in the Federal Register Notice announcing the approval of a new or revised 

209 standard. In the case of commercial or consensus standards, feedback is generated and received 

210 in accordance with the policies and procedures of the respective standards bodies. 

211 Announcements and public review are vital, but only the externally visible part of the process. 

212 Public outreach begins well before formal announcements and extends beyond the adoption of 

213 standards. NIST is deeply involved in the cryptographic research community, participating 

214 extensively in the community by attending research conferences; providing program committee 

215 members, speakers and reviewers for conferences and workshops; and writing papers on NIST 

216 research. NIST also invites and hosts guest researchers, postdoctoral fellows and visiting 

217 scholars; sometimes funds academic research; and provides services, such as the NIST 

218 Randomness Beacon, 6 for the research community. As a result, cryptographers around the world 

219 often know whom to contact at NIST in their area of interest. NIST encourages and receives 

220 valuable informal advice, often based on independent cryptanalysis, from researchers. 

221 NIST's previously discussed participation in SDOs provides another avenue for outreach and 

222 feedback. In many cases, NIST staff are contributors, editors or working-group chairs for 

223 proposed voluntary standards that use cryptography. NIST participates in the SDO standards 

224 process along with industry and companies involved in the design, development and 

225 implementation of cryptography. Such outreach promotes a two-way flow of information, and 

226 provides early feedback on the effects of NIST standards and the need for new or different 

227 standards. 



6 See http://www.nist.gov/itl/csd/ct/nist beacon.cfm 
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228 NIST must prioritize its participation within meetings, conferences, standards organizations and 

229 industry groups based on the stakeholders involved and the expected impact of involvement. 

230 There are also limits on the number of guest researchers and visiting scholars that can be 

231 accommodated, based on the available resources. Process and fairness require that some 

232 activities be kept confidential until announced publicly to everyone at the same time. Within 

233 these constraints, NIST strives to keep stakeholders informed by reaching out to the community, 

234 being accessible for discussions, listening to concerns, responding to questions, making 

235 important activities public, participating actively in the cryptographic research community, and 

236 supporting voluntary standards development efforts. 
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237 Appendix: Examples of Development Processes 

238 Advanced Encryption Standard 

239 During the 1990s, NIST wanted a block cipher standard that was stronger and faster than 

240 the existing Triple-DES standard, which was primarily used for encryption and message 

241 authentication. In January 1997 NIST announced its interest in the development of a 

242 successor to Triple-DES, to be called the Advanced Encryption Standard (AES). NIST 

243 requested feedback and held a public workshop to discuss the criteria for the design of 

244 this algorithm. NIST then announced the start of a competition and its rules and 

245 requirements in September 1997, calling for candidate submissions in nine months. 

246 NIST received 15 complete candidates, and held three conferences to review and winnow 

247 the candidates down to five finalists. After the third conference, NIST chose Rijndael to 

248 be the AES in October 2000, and in February 2001, formally proposed the AES standard, 

249 FIPS 197, in a Federal Register announcement soliciting public comment. The final 

250 approval of AES occurred on November 26, 2001. 

251 Block Cipher Modes of Operation 

252 FIPS 197 authorizes NIST Recommendations as a source for modes of operation for 

253 implementations of the AES algorithm. Recommendations for a variety of modes have 

254 been published, in a relatively agile manner under that authority, in the 800-38 series of 

255 Special Publications. Two sets of those modes originated in the Federal government: 1) 

256 the adaptations of the four DES encryption modes in FIPS 81 to the AES algorithm, and 

257 2) the key- wrapping modes that were developed by NSA at NIST's request. All of the 

258 other block cipher modes approved by NIST were based on proposals that were 

259 submitted for NIST's consideration from academia and industry, including both 

260 individual companies and standards groups. All mode proposals are posted on NIST's 

261 CSRC website, with an open invitation for public comments. 

262 The initial step in the development process is to determine whether a version of a mode 

263 proposal is appropriate to include in NIST's cryptographic toolkit of standards. The main 

264 considerations are: 1) whether the mode serves an important need, 2) whether existing 

265 modes in the toolkit, or other modes proposals, can adequately provide the needed 

266 properties/functionality, 3) whether the mode meets NIST's security requirements, and 4) 

267 for patented modes, whether acceptable royalty-free alternatives are available. NIST has 

268 often sought public input into these initial decisions, either from public workshops or 

269 through public comment periods. 

270 When NIST is interested in approving a mode proposal, the next step is the development 

271 of a draft special publication that specifies the mode. Normally, NIST develops the draft 

272 in consultation with the mode submitter. After passing internal review, the draft is posted 

273 on the CSRC website for a period of public comment, after which any received 

274 comments are also posted. NIST considers the public comments carefully and decides 
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275 whether to finalize the draft for publication, with appropriate revisions to address any 

276 remaining public or internal concerns. 

277 Since 2001, NIST has approved twelve block cipher modes of operation within six 

278 special publications in the 800-38 series. These modes provide confidentiality and/or 

279 authentication for a variety of general and special purpose applications, including modes 

280 designed for wireless local-area networks, disk encryption, and high-throughput Internet 

281 routers. A seventh document in the series, specifying modes for format-preserving 

282 encryption, is currently in development. 

283 Deterministic Random Bit Generators 

284 In 1998, NIST recognized that the random number generators described in FIPS 186-2 

285 would not be adequate for anticipated future requirements for the generation of random 

286 numbers. As a member of X9F1, a subcommittee of the American Standards Committee 

287 (ASC) X9 (the committee for Financial Services), NIST concluded that X9F1 would be 

288 an appropriate venue to develop a standard on random number generation, since the 

289 committee included members from several organizations with cryptographic expertise. A 

290 development team was formed to develop this standard (ANS X9.82) led by NIST and 

291 NSA staff. The standard was developed in four parts: a general discussion of random 

292 number generators (Part 1), requirements for entropy sources (Part 2), specifications for 

293 deterministic random bit generator (DRBG) algorithms (Part 3), and constructions for 

294 building Random Bit Generators (RBGs) from DRBGs and entropy sources (Part 4). 

295 During the development of Part 3 of ANS X9.82, a version of the document was provided 

296 to the International Standards Organization (ISO), where it became the basis for ISO/IEC 

297 18031. 

298 In order to obtain a wider review of the standard, include additional test and validation 

299 guidance that was not appropriate for the X9 standard, and allow a more efficient review 

300 and comment process, NIST incorporated the material into the SP 800-90 series of 

301 documents. This series specifies algorithms (in NIST SP 800-90A), requirements and 

302 tests for entropy sources (in NIST SP 800-90B), and constructions for combining the 

303 DRBG algorithms and entropy sources into Random Bit Generators (in NIST SP 800- 

304 90C). 

305 ANS X9.82, Part 3 became the basis for NIST SP800-90A. Part 3 of ANS X9.82 

306 contains three algorithms: HMAC_DRBG, CTR_DRBG and Dual_EC_DRBG. However, 

307 when SP 800-90A was developed, four algorithms were included: Hash_DRBG, 

308 HMAC_DRBG, CTR_DRBG and Dual_EC_DRBG. Hash_DRBG was originally 

309 designed in response to a request for a generator that would be appropriate for the 

310 generation of values with higher security requirements than were provided in the older 

311 random number generators specified in the Digital Signature Standard (FIPS 186-2). 

312 During the development of the SP 800-90 series, NIST has held several workshops, 

313 hosted discussions with organizations and experts involved in testing or designing 
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314 random bit generators, and provided the drafts of the SP 800-90 documents for public 

315 comment. All such feedback was considered for incorporation into the SP 800-90 

316 documents. 

317 Some in the cryptographic community have expressed concern about the 

3 1 8 Dual_EC_DRBG specified in SP 800-90A. In light of these concerns, NIST published an 

319 ITL Bulletin discussing the history of the document development and the issue of 

320 concern, provided the SP 800-90 documents for an additional public comment period, 

321 and advised against using the Dual_EC_DRBG pending the resolution of the security 

322 concerns. As part of our commitment to continuous improvement of our standards and 

323 guidelines, NIST will review these comments and make a determination of the 

324 appropriate action to take. 



7 See http://csrc.nist.gov/publications/nistbul 



10 



